SCP (Service Control Policy)
💡 Definition
Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization.
🔑 Key Concepts
- Guardrails: SCPs act as a filter. They don't grant permissions; they restrict them.
- Hierarchy: Can be applied to the Root, OUs, or individual Accounts.
- Root User Restriction: SCPs affect all users in a member account, including the root user.
- Intersection: A request succeeds only if BOTH the IAM policy allows it AND the SCP allows it (and no SCP explicitly denies it).
⚙️ How it Works
- Define Policy: Write a JSON policy (similar to IAM).
- Attach: Attach it to an OU (e.g., "Production").
- Enforce: If the SCP says "Deny S3", no one in that OU can use S3, even if their IAM policy says "Allow S3".
🎯 Use Cases
- Region Restriction: Prevent deploying resources in non-approved Regions (e.g., prevent usage outside of us-east-1).
- Service Restriction: Disable expensive services (e.g., Redshift) in development accounts.
- Security Baseline: Prevent disabling CloudTrail or Config.
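The following is an added example, not code from the original note or from AWS. It puts the "How it Works" steps and the region-restriction and CloudTrail use cases together: a constructed SCP JSON (in the same document form as an IAM policy) plus a deliberately simplified evaluator that shows the intersection rule in action. `aws:RequestedRegion` and the `cloudtrail:StopLogging` / `cloudtrail:DeleteTrail` action names are real AWS identifiers; the Sid values, the approved Region, the sample IAM policy and the evaluator itself are assumptions made for this example.

```python
import fnmatch
import json

# Constructed sample SCP (not from the original page): a default FullAWSAccess
# statement plus two guardrails, a Region restriction and CloudTrail protection.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyOutsideApprovedRegion", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
    {"Sid": "ProtectCloudTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"}
  ]
}
""")

# Constructed IAM identity policy for a developer: S3 and CloudTrail only.
DEV_IAM = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudtrail:*"], "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """Policy fields such as Action or Statement may be one string/object or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    # Action patterns are case-insensitive and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(statement.get("Action", [])))


def _condition_holds(statement, ctx):
    """Toy evaluator for StringEquals / StringNotEquals only. A key missing from
    the request context is treated as 'no match' (a simplification: real AWS
    handles missing keys differently for negated operators, so this example
    always supplies aws:RequestedRegion in the context)."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            in_set = actual in _as_list(expected)
            if operator == "StringEquals" and not in_set:
                return False
            if operator == "StringNotEquals" and in_set:
                return False
    return True


def policy_allows(policy, action, ctx):
    """Simplified policy evaluation: an explicit Deny wins, then an explicit Allow,
    otherwise implicit deny. Resources are not matched (all samples use '*')."""
    applicable = [s for s in _as_list(policy["Statement"])
                  if _action_matches(s, action) and _condition_holds(s, ctx)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False
    return any(s["Effect"] == "Allow" for s in applicable)


def effective_decision(scp, iam_policy, action, ctx, management_account=False):
    """The intersection rule: a request succeeds only if the IAM policy allows it
    AND the SCP allows it. SCPs never apply to the management account."""
    iam_ok = policy_allows(iam_policy, action, ctx)
    if management_account:
        return iam_ok
    return iam_ok and policy_allows(scp, action, ctx)


if __name__ == "__main__":
    east = {"aws:RequestedRegion": "us-east-1"}
    eu = {"aws:RequestedRegion": "eu-west-1"}
    for action, ctx in [("s3:CreateBucket", east), ("s3:CreateBucket", eu),
                        ("cloudtrail:StopLogging", east), ("ec2:RunInstances", east)]:
        verdict = "ALLOW" if effective_decision(SCP, DEV_IAM, action, ctx) else "DENY"
        print(f"{action:24s} in {ctx['aws:RequestedRegion']}: {verdict}")
```

Note that `ec2:RunInstances` is denied even though the SCP allows it: the SCP only sets the ceiling, and the developer's IAM policy never granted EC2. Conversely, `cloudtrail:StopLogging` is denied even though IAM allows it, because the SCP's explicit Deny removes it from the ceiling. Real Region-restriction SCPs usually exempt global services (IAM, STS, and similar) with a `NotAction` list rather than denying `*` outright; that refinement is left out here to keep the evaluator small.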
💰 Pricing Model
- Free feature of AWS Organizations.
📝 Exam Tips (CLF-C02)
- SCPs are part of AWS Organizations.
- They limit permissions; they do not grant them.
- They apply to the Root User of member accounts.
- They do not apply to the Management Account itself.
See Also:
- AWS Organizations
- IAM